Go to file
VirtuBox 65d70288ca add new conf 2018-08-03 12:40:15 +02:00
docs add new conf 2018-08-03 12:40:15 +02:00
etc add new conf 2018-08-03 12:40:15 +02:00
scripts add new conf 2018-08-03 12:40:15 +02:00
var/www add wp-cli section 2018-07-06 13:48:34 +02:00
.gitignore add new conf 2018-08-03 12:40:15 +02:00
LICENSE Initial commit 2017-12-13 08:39:52 +01:00
README.md add error pages and some config 2018-07-28 23:59:45 +02:00
common.zip php7.1-fpm and php7.2-fpm conf 2018-02-04 14:04:04 +01:00

README.md

Optimized configuration for Ubuntu server with EasyEngine


Server Stack

  • Ubuntu 16.04/18.04 LTS
  • Nginx 1.15.x / 1.14.x
  • PHP-FPM 7/7.1/7.2
  • MariaDB 10.3
  • REDIS 4.0
  • Memcached
  • Fail2ban
  • Netdata
  • UFW

All Instructions and informations are listed on the Github page

Configuration files with comments and informations available by following the link source

Initial configuration

System update and packages cleanup

apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean

Install useful packages

sudo apt install haveged curl git unzip zip fail2ban htop nload nmon ntp -y

Tweak Kernel & Increase open files limits

source sysctl.conf - limits.conf source

modprobe tcp_htcp
wget -O /etc/sysctl.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.conf
sysctl -p
wget -O /etc/security/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/security/limits.conf

disable transparent hugepage for redis

echo never > /sys/kernel/mm/transparent_hugepage/enabled

EasyEngine Setup

Install MariaDB 10.3

Instructions available in VirtuBox Knowledgebase

curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
| sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale
sudo apt update && sudo apt install mariadb-server percona-xtrabackup-24 -y

MySQL Tuning

You can download my example of my.cnf, optimized for VPS with 4GB RAM. my.cnf source

wget -O /etc/mysql/my.cnf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/mysql/my.cnf

It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration :

sudo service mysql stop

sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak
sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak

sudo service mysql start

Increase MariaDB open files limits

wget -O /etc/systemd/system/mariadb.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/mariadb.service.d/limits.conf

sudo systemctl daemon-reload
sudo systemctl restart mariadb

Install EasyEngine

# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email
sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig'

wget -qO ee rt.cx/ee && bash ee

enable ee bash_completion

source /etc/bash_completion.d/ee_auto.rc

Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend

ee stack install
ee stack install --php7 --redis --admin --phpredisadmin

Set your email instead of root@localhost

echo 'root: my.email@address.com' >> /etc/aliases
newaliases

Install Composer - Fix phpmyadmin install issue

cd ~/ ||exit
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer

chown www-data:www-data /var/www
sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/

Allow shell for www-data for SFTP usage

usermod -s /bin/bash www-data

PHP 7.1 & 7.2 Setup

Install php7.1-fpm

# php7.1-fpm
apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \
php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl

wget -O /etc/php/7.1/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/pool.d/www.conf

wget -O /etc/php/7.1/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.1/fpm/php.ini
service php7.1-fpm restart

Install php7.2-fpm

# php7.2-fpm
apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2  php7.2-zip php7.2-mysql  php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring -y

wget -O /etc/php/7.2/fpm/pool.d/www.conf https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/pool.d/www.conf

wget -O /etc/php/7.2/fpm/php.ini https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/etc/php/7.2/fpm/php.ini
service php7.2-fpm restart

add nginx upstreams

wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf
service nginx reload

add ee common configuration

cd /etc/nginx/common || exit
wget https://virtubox.github.io/ubuntu-nginx-web-server/files/common.zip
unzip common.zip

Compile last Nginx mainline release with nginx-ee script

bash <(wget -O - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh)

Custom configurations

clean php-fpm php.ini configuration

# PHP 7.0
wget -O /etc/php/7.0/fpm/php.ini https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/php/7.0/fpm/php.ini
service php7.0-fpm restart

Nginx optimized configurations

# TLSv1.2 TLSv1.3 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx.conf

# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-intermediate.conf

# TLSv1.2 only
wget -O /etc/nginx/nginx.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/nginx-tlsv12.conf

Nginx configuration for netdata & new upstreams

# custom conf for netdata metrics (php-fpm & nginx status pages)
wget -O /etc/nginx/sites-available/default  https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/default

# add netdata, php7.1 and php7.2 upstream
wget -O /etc/nginx/conf.d/upstream.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/upstream.conf

# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
wget -O /etc/nginx/sites-available/22222 https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/sites-available/22222

Increase Nginx open files limits

sudo mkdir -p /etc/systemd/system/nginx.service.d
wget -O /etc/systemd/system/nginx.service.d/limits.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/systemd/system/nginx.service.d/limits.conf

sudo systemctl daemon-reload
sudo systemctl restart nginx.service

wpcommon-php7x configurations

  • webp rewrite rules added
  • DoS attack CVE fix added
  • php7.1 & php7.2 configuration added
# 1) add webp mapping
wget -O /etc/nginx/conf.d/webp.conf  https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/conf.d/webp.conf

# 2) wpcommon files
# php7
wget -O /etc/nginx/common/wpcommon-php7.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php7.conf

# php7.1
wget -O /etc/nginx/common/wpcommon-php71.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php71.conf

# php7.2
wget -O /etc/nginx/common/wpcommon-php72.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/wpcommon-php72.conf

nginx -t
service nginx reload

Security

Harden SSH Security

WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only source

wget -O /etc/ssh/sshd_config https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/ssh/sshd_config

UFW

Instructions available in VirtuBox Knowledgebase

# enable ufw log - allow outgoing - deny incoming
ufw logging low
ufw default allow outgoing
ufw default deny incoming

# SSH - DNS - HTTP/S - FTP - NTP - SNMP - Librenms - Netdata - EE Backend  
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 21
ufw allow 123
ufw allow 161
ufw allow 6556
ufw allow 19999
ufw allow 22222

# enable UFW
ufw enable

Custom jails for fail2ban

  • wordpress bruteforce
  • ssh
  • recidive (after 3 bans)
  • backend http auth
  • nginx bad bots
wget -O /etc/fail2ban/filter.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ddos.conf
wget -O /etc/fail2ban/filter.d/ee-wordpress.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/filter.d/ee-wordpress.conf
wget -O /etc/fail2ban/jail.d/custom.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/custom.conf
wget -O  /etc/fail2ban/jail.d/ddos.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/fail2ban/jail.d/ddos.conf

fail2ban-client reload

Secure Memcached server

echo '-U 0' >> /etc/memcached.conf
sudo systemctl restart memcached

Optional tools

ee-acme-sh

Github repository - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers

  • subdomain support
  • ivp6 support
  • wildcards certificates support
wget -O install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh
chmod +x install-ee-acme.sh
./install-ee-acme.sh

# enable acme.sh & ee-acme-sh
source .bashrc

netdata

Github repository


bash <(curl -Ss https://my-netdata.io/kickstart.sh) all

# save 40-60% of netdata memory
echo 1 >/sys/kernel/mm/ksm/run
echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs

# disable email notifications
sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
service netdata restart

bash-snippets

Github repository

git clone https://github.com/alexanderepstein/Bash-Snippets
cd Bash-Snippets
git checkout v1.22.0
./install.sh cheat

usage : cheat <command>

root@vps:~ cheat cat
# cat

# Print and concatenate files.

# Print the contents of a file to the standard output:
  cat file

# Concatenate several files into the target file:
  cat file1 file2 > target_file

# Append several files into the target file:
  cat file1 file2 >> target_file

# Number all output lines:
  cat -n file

nanorc - Improved Nano Syntax Highlighting Files

Github repository

wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh

ucaresystem - script to update & cleanup packages easily

sudo add-apt-repository ppa:utappia/stable -y
sudo apt update
sudo apt install ucaresystem-core -y

Run server maintenance with the command :

sudo ucaresystem-core

WP-CLI

Add bash-completion for user www-data

# download wp-cli bash_completion
wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash

# change /var/www owner
chown www-data:www-data /var/www

# download .profile & .bashrc for www-data
wget -O /var/www/.profile https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.profile
wget -O /var/www/.bashrc https://raw.githubusercontent.com/VirtuBox/ubuntu-nginx-web-server/master/docs/files/var/www/.bashrc

# set owner
chown www-data:www-data /var/www/.profile
chown www-data:www-data /var/www/.bashrc

Custom Nginx error pages

Github Repository

Installation

# clone the github repository
sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error

# download nginx configuration
wget -O /etc/nginx/common/error_pages.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/nginx/common/error_pages.conf

Then include this configuration in your nginx vhost by adding the following line

include common/error_pages.conf;

Published & maintained by VirtuBox